Password Spraying on Windows

Let’s say you gain access to a Windows machine and want to spread laterally across the environment. One way to gain a better foothold is to guess other user’s passwords. However, you want to be extremely careful about account lockout, especially if you are testing in a production environment. The last thing you want is to create a massive denial of service…that would be extremely embarrassing and could potentially cost you future pentesting work.

Here is an efficient method using Windows commands (no tools required) to guess passwords that will avoid account lockout and can be done as a non-privileged user:

  1. Use the net view command to display a list of computers in your current domain.
  1. Use the net user /domain command to list all of the potential user accounts. Copy and paste the user accounts into a file called user.txt.
  1. Run the net accounts command and take note of the following fields:
  • Minimum Password Length: This setting determines the least number of characters that a password for a user account may contain.
  • Lockout Threshold: This setting determines the number of failed logon attempts that causes a user account to be locked out
  • Lockout Duration (minutes): This setting determines the number of minutes a locked-out account remains locked out before automatically becoming unlocked.
  • Lockout Observation Window (minutes): This setting determines the number of minutes that must elapse after a failed logon attempt before the failed logon attempt counter is reset to 0 bad logon attempts.
  1. Generate n passwords where n is equal to one less than the lockout threshold value and write them to a file called pass.txt. Try to think of the most likely passwords that meet the minimum length requirement (as well as complexity if you think they have complexity enabled). If the value of Lockout Duration or Lockout Observation Window is greater than an hour, you may want to consider only guessing two passwords less than the threshold to account for normal users entering their passwords wrong and locking themselves out.
  1. Use the following one-liner (taken from the excellent SANS 504 course taught by John Strand) to attempt to guess the passwords and write any successes to a separate file:

for /f %i in (user.txt) do @(for /f %j in (pass.txt) do @echo %i:%j & net use \\[targetIP] %j /u:%i 2>nul && echo %i:%j >> success.txt && net use \\[targetIP] /del

This command uses for loops to iterate through your user and pass files, using the usernames and passwords as variables (%i and %j) as the username and password input for the net use command,  which will attempt to connect your attacking system to the target system. If the net use command is successful, it indicates that the user and password combination was correct, and the username and password will be written to the file, success.txt. After the success, the net use \\targetIP /del command is used to tear down the connection, because Windows will not allow multiple connections to a resource by the same user using a different username.

  1. If you are unsuccessful the first time, edit the pass.txt file to have different passwords and try again after the value specified in the Lockout Observation Window.

Leave a Reply

Your email address will not be published. Required fields are marked *